[ 44.468440] audit: type=1800 audit(1555422361.416:27): pid=5283 uid=0 auid=4294967295 ses=4294967295 subj==unconfined op=collect_data cause=failed(directio) comm="startpar" name="restorecond" dev="sda1" ino=2469 res=0
[ 44.487955] audit: type=1800 audit(1555422361.416:28): pid=5283 uid=0 auid=4294967295 ses=4294967295 subj==unconfined op=collect_data cause=failed(directio) comm="startpar" name="ssh" dev="sda1" ino=2450 res=0
[....] Starting periodic command scheduler: cron�[?25l�[?1c�7�[1G[�[32m ok �[39;49m�8�[?25h�[?0c.
[....] Starting OpenBSD Secure Shell server: sshd�[?25l�[?1c�7�[1G[�[32m ok �[39;49m�8�[?25h�[?0c.
[ 45.313264] audit: type=1800 audit(1555422362.306:29): pid=5283 uid=0 auid=4294967295 ses=4294967295 subj==unconfined op=collect_data cause=failed(directio) comm="startpar" name="rc.local" dev="sda1" ino=2465 res=0
[ 45.332728] audit: type=1800 audit(1555422362.306:30): pid=5283 uid=0 auid=4294967295 ses=4294967295 subj==unconfined op=collect_data cause=failed(directio) comm="startpar" name="rmnologin" dev="sda1" ino=2456 res=0
Debian GNU/Linux 7 syzkaller ttyS0
Warning: Permanently added '10.128.0.182' (ECDSA) to the list of known hosts.
executing program
syzkaller login: [ 55.848045] usb 1-1: new high-speed USB device number 2 using dummy_hcd
[ 56.087986] usb 1-1: Using ep0 maxpacket: 8
[ 56.208018] usb 1-1: config 0 has an invalid interface number: 28 but max is 0
[ 56.215531] usb 1-1: config 0 has no interface number 0
[ 56.221052] usb 1-1: New USB device found, idVendor=04fa, idProduct=2490, bcdDevice=74.f9
[ 56.229474] usb 1-1: New USB device strings: Mfr=0, Product=0, SerialNumber=0
[ 56.238621] usb 1-1: config 0 descriptor??
[ 56.478183] ==================================================================
[ 56.485777] BUG: KASAN: use-after-free in ds_probe+0x604/0x760
[ 56.491755] Read of size 1 at addr ffff88821b13c202 by task kworker/0:2/532
[ 56.498836]
[ 56.500458] CPU: 0 PID: 532 Comm: kworker/0:2 Not tainted 5.1.0-rc4-319354-g9a33b36 #3
[ 56.508510] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
[ 56.517892] Workqueue: usb_hub_wq hub_event
[ 56.522206] Call Trace:
[ 56.524809] dump_stack+0xe8/0x16e
[ 56.528339] ? ds_probe+0x604/0x760
[ 56.532045] ? ds_probe+0x604/0x760
[ 56.535656] print_address_description+0x6c/0x236
[ 56.540636] ? ds_probe+0x604/0x760
[ 56.544247] ? ds_probe+0x604/0x760
[ 56.547858] kasan_report.cold+0x1a/0x3c
[ 56.551914] ? ds_probe+0x604/0x760
[ 56.555525] ds_probe+0x604/0x760
[ 56.558995] usb_probe_interface+0x31d/0x820
[ 56.563392] ? usb_probe_device+0x150/0x150
[ 56.567711] really_probe+0x2da/0xb10
[ 56.571498] driver_probe_device+0x21d/0x350
[ 56.575910] __device_attach_driver+0x1d8/0x290
[ 56.580573] ? driver_allows_async_probing+0x160/0x160
[ 56.585837] bus_for_each_drv+0x163/0x1e0
[ 56.589971] ? bus_rescan_devices+0x30/0x30
[ 56.594275] ? _raw_spin_unlock_irqrestore+0x4b/0x60
[ 56.599367] ? lockdep_hardirqs_on+0x37e/0x580
[ 56.603949] __device_attach+0x223/0x3a0
[ 56.607998] ? device_bind_driver+0xe0/0xe0
[ 56.612322] ? kobject_uevent_env+0x295/0x13d0
[ 56.616888] bus_probe_device+0x1f1/0x2a0
[ 56.621038] ? blocking_notifier_call_chain+0x59/0xb0
[ 56.626214] device_add+0xad2/0x16e0
[ 56.629914] ? get_device_parent.isra.0+0x560/0x560
[ 56.634929] ? _raw_spin_unlock_irqrestore+0x4b/0x60
[ 56.640041] usb_set_configuration+0xdf7/0x1740
[ 56.644703] generic_probe+0xa2/0xda
[ 56.648405] usb_probe_device+0xc0/0x150
[ 56.652466] ? usb_suspend+0x5f0/0x5f0
[ 56.656355] really_probe+0x2da/0xb10
[ 56.660142] driver_probe_device+0x21d/0x350
[ 56.664544] __device_attach_driver+0x1d8/0x290
[ 56.669197] ? driver_allows_async_probing+0x160/0x160
[ 56.674459] bus_for_each_drv+0x163/0x1e0
[ 56.678601] ? bus_rescan_devices+0x30/0x30
[ 56.682919] ? _raw_spin_unlock_irqrestore+0x4b/0x60
[ 56.688018] ? lockdep_hardirqs_on+0x37e/0x580
[ 56.692595] __device_attach+0x223/0x3a0
[ 56.696641] ? device_bind_driver+0xe0/0xe0
[ 56.700964] ? kobject_uevent_env+0x295/0x13d0
[ 56.705535] bus_probe_device+0x1f1/0x2a0
[ 56.709685] ? blocking_notifier_call_chain+0x59/0xb0
[ 56.714877] device_add+0xad2/0x16e0
[ 56.718610] ? get_device_parent.isra.0+0x560/0x560
[ 56.723701] usb_new_device.cold+0x537/0xccf
[ 56.728103] hub_event+0x138e/0x3b00
[ 56.731810] ? hub_port_debounce+0x350/0x350
[ 56.736212] ? _raw_spin_unlock_irq+0x29/0x40
[ 56.740699] process_one_work+0x90f/0x1580
[ 56.744921] ? wq_pool_ids_show+0x300/0x300
[ 56.749235] ? do_raw_spin_lock+0x11f/0x290
[ 56.753552] worker_thread+0x9b/0xe20
[ 56.757347] ? process_one_work+0x1580/0x1580
[ 56.761919] kthread+0x313/0x420
[ 56.765269] ? kthread_park+0x1a0/0x1a0
[ 56.769251] ret_from_fork+0x3a/0x50
[ 56.773206]
[ 56.774820] Allocated by task 5429:
[ 56.778463] __kasan_kmalloc.constprop.0+0xbf/0xd0
[ 56.783379] ext4_readdir+0x1bee/0x2d10
[ 56.787338] iterate_dir+0x481/0x5e0
[ 56.791036] __x64_sys_getdents+0x1e2/0x370
[ 56.795345] do_syscall_64+0xcf/0x4f0
[ 56.799151] entry_SYSCALL_64_after_hwframe+0x49/0xbe
[ 56.804342]
[ 56.805969] Freed by task 5429:
[ 56.809244] __kasan_slab_free+0x130/0x180
[ 56.813471] slab_free_freelist_hook+0x5e/0x140
[ 56.818125] kfree+0xce/0x290
[ 56.821236] ext4_release_dir+0x4e/0x60
[ 56.825195] __fput+0x2df/0x8c0
[ 56.828461] task_work_run+0x149/0x1c0
[ 56.832680] exit_to_usermode_loop+0x243/0x270
[ 56.837263] do_syscall_64+0x40c/0x4f0
[ 56.841159] entry_SYSCALL_64_after_hwframe+0x49/0xbe
[ 56.846333]
[ 56.847958] The buggy address belongs to the object at ffff88821b13c1e0
[ 56.847958] which belongs to the cache kmalloc-64 of size 64
[ 56.860432] The buggy address is located 34 bytes inside of
[ 56.860432] 64-byte region [ffff88821b13c1e0, ffff88821b13c220)
[ 56.872124] The buggy address belongs to the page:
[ 56.877057] page:ffffea00086c4f00 count:1 mapcount:0 mapping:ffff88812c3f5600 index:0x0
[ 56.885200] flags: 0x57ff00000000200(slab)
[ 56.889423] raw: 057ff00000000200 dead000000000100 dead000000000200 ffff88812c3f5600
[ 56.897298] raw: 0000000000000000 00000000802a002a 00000001ffffffff 0000000000000000
[ 56.905182] page dumped because: kasan: bad access detected
[ 56.910875]
[ 56.912485] Memory state around the buggy address:
[ 56.917408] ffff88821b13c100: fc fc fc fc fb fb fb fb fb fb fb fb fc fc fc fc
[ 56.924750] ffff88821b13c180: 00 00 00 00 00 00 fc fc fc fc fc fc fb fb fb fb
[ 56.932099] >ffff88821b13c200: fb fb fb fb fc fc fc fc 00 00 00 00 00 00 00 00
[ 56.944044] ^
[ 56.947393] ffff88821b13c280: fc fc fc fc fb fb fb fb fb fb fb fb fc fc fc fc
[ 56.954730] ffff88821b13c300: fb fb fb fb fb fb fb fb fc fc fc fc 00 00 00 00
[ 56.962232] ==================================================================
[ 56.969572] Disabling lock debugging due to kernel taint
[ 56.975431] Kernel panic - not syncing: panic_on_warn set ...
[ 56.981335] CPU: 0 PID: 532 Comm: kworker/0:2 Tainted: G B 5.1.0-rc4-319354-g9a33b36 #3
[ 56.990775] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
[ 57.000142] Workqueue: usb_hub_wq hub_event
[ 57.004478] Call Trace:
[ 57.007085] dump_stack+0xe8/0x16e
[ 57.010634] panic+0x29d/0x5f2
[ 57.013829] ? __warn_printk+0xf8/0xf8
[ 57.017725] ? retint_kernel+0x10/0x10
[ 57.021619] ? trace_hardirqs_on+0x55/0x1c0
[ 57.025940] ? ds_probe+0x604/0x760
[ 57.029581] end_report+0x48/0x4e
[ 57.033036] ? ds_probe+0x604/0x760
[ 57.036656] kasan_report.cold+0xd/0x3c
[ 57.040630] ? ds_probe+0x604/0x760
[ 57.044252] ds_probe+0x604/0x760
[ 57.047703] usb_probe_interface+0x31d/0x820
[ 57.052191] ? usb_probe_device+0x150/0x150
[ 57.056513] really_probe+0x2da/0xb10
[ 57.060309] driver_probe_device+0x21d/0x350
[ 57.064713] __device_attach_driver+0x1d8/0x290
[ 57.069375] ? driver_allows_async_probing+0x160/0x160
[ 57.074650] bus_for_each_drv+0x163/0x1e0
[ 57.078796] ? bus_rescan_devices+0x30/0x30
[ 57.083130] ? _raw_spin_unlock_irqrestore+0x4b/0x60
[ 57.088410] ? lockdep_hardirqs_on+0x37e/0x580
[ 57.092995] __device_attach+0x223/0x3a0
[ 57.097068] ? device_bind_driver+0xe0/0xe0
[ 57.101399] ? kobject_uevent_env+0x295/0x13d0
[ 57.105982] bus_probe_device+0x1f1/0x2a0
[ 57.110149] ? blocking_notifier_call_chain+0x59/0xb0
[ 57.115429] device_add+0xad2/0x16e0
[ 57.119161] ? get_device_parent.isra.0+0x560/0x560
[ 57.124186] ? _raw_spin_unlock_irqrestore+0x4b/0x60
[ 57.129395] usb_set_configuration+0xdf7/0x1740
[ 57.134087] generic_probe+0xa2/0xda
[ 57.137803] usb_probe_device+0xc0/0x150
[ 57.141859] ? usb_suspend+0x5f0/0x5f0
[ 57.145758] really_probe+0x2da/0xb10
[ 57.149559] driver_probe_device+0x21d/0x350
[ 57.153966] __device_attach_driver+0x1d8/0x290
[ 57.158632] ? driver_allows_async_probing+0x160/0x160
[ 57.163907] bus_for_each_drv+0x163/0x1e0
[ 57.168056] ? bus_rescan_devices+0x30/0x30
[ 57.172389] ? _raw_spin_unlock_irqrestore+0x4b/0x60
[ 57.177494] ? lockdep_hardirqs_on+0x37e/0x580
[ 57.182092] __device_attach+0x223/0x3a0
[ 57.186167] ? device_bind_driver+0xe0/0xe0
[ 57.190518] ? kobject_uevent_env+0x295/0x13d0
[ 57.195114] bus_probe_device+0x1f1/0x2a0
[ 57.199269] ? blocking_notifier_call_chain+0x59/0xb0
[ 57.204474] device_add+0xad2/0x16e0
[ 57.208216] ? get_device_parent.isra.0+0x560/0x560
[ 57.213333] usb_new_device.cold+0x537/0xccf
[ 57.217766] hub_event+0x138e/0x3b00
[ 57.221501] ? hub_port_debounce+0x350/0x350
[ 57.225951] ? _raw_spin_unlock_irq+0x29/0x40
[ 57.230466] process_one_work+0x90f/0x1580
[ 57.234705] ? wq_pool_ids_show+0x300/0x300
[ 57.239027] ? do_raw_spin_lock+0x11f/0x290
[ 57.243360] worker_thread+0x9b/0xe20
[ 57.247167] ? process_one_work+0x1580/0x1580
[ 57.251657] kthread+0x313/0x420
[ 57.255018] ? kthread_park+0x1a0/0x1a0
[ 57.258998] ret_from_fork+0x3a/0x50
[ 57.263424] Kernel Offset: disabled
[ 57.267051] Rebooting in 86400 seconds..